From 969b2d211004d1b496636ce898fd68ca7375e264 Mon Sep 17 00:00:00 2001
From: Ivan Martinez-Ortiz
Date: Wed, 24 Jun 2020 16:49:09 +0200
Subject: [PATCH] Updates the usage documentation of OpenID custom scopes (#9902)

---
 docs/sts/keycloak.md | 3 +++
 docs/sts/web-identity.go | 10 +++++++++-
 docs/sts/web-identity.md | 2 ++
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/docs/sts/keycloak.md b/docs/sts/keycloak.md
index b66ab7423..61b37e91a 100644
--- a/docs/sts/keycloak.md
+++ b/docs/sts/keycloak.md
@@ -57,6 +57,7 @@ Set `identity_openid` config with `config_url`, `client_id` and restart MinIO
 ```
 ~ mc admin config set myminio identity_openid config_url="http://localhost:8080/auth/realms/demo/.well-known/openid-configuration" client_id="account"
 ```
+> Note: You can configure the `scopes` parameter to restrict the OpenID scopes requested by minio to the IdP, for example, `"openid,policy_role_attribute"`, being `policy_role_attribute` a client_scope / client_mapper that maps a role attribute called policy to a `policy` claim returned by Keycloak
 
 Once successfully set restart the MinIO instance.
 ```
@@ -87,6 +88,8 @@ This will open the login page of keycloak, upon successful login, STS credential
 }
 ```
 
+> Note: You can use the `-cscopes` parameter to restrict the requested scopes, for example to `"openid,policy_role_attribute"`, being `policy_role_attribute` a client_scope / client_mapper that maps a role attribute called policy to a `policy` claim returned by Keycloak.
+
 These credentials can now be used to perform MinIO API operations.
 
 ## 5. Using MinIO Browser
diff --git a/docs/sts/web-identity.go b/docs/sts/web-identity.go
index 4d49cae21..621e30b7f 100644
--- a/docs/sts/web-identity.go
+++ b/docs/sts/web-identity.go
@@ -30,6 +30,7 @@ import (
 	"log"
 	"net/http"
 	"net/url"
+	"strings"
 	"time"
 
 	"golang.org/x/oauth2"
@@ -79,6 +80,7 @@ var (
 	configEndpoint string
 	clientID string
 	clientSec string
+	clientScopes string
 	port int
 )
 
@@ -131,6 +133,7 @@ func init() {
 		"OpenID discovery document endpoint")
 	flag.StringVar(&clientID, "cid", "", "Client ID")
 	flag.StringVar(&clientSec, "csec", "", "Client Secret")
+	flag.StringVar(&clientScopes, "cscopes", "openid", "Client Scopes")
 	flag.IntVar(&port, "port", 8080, "Port")
 }
 
@@ -148,6 +151,11 @@ func main() {
 		return
 	}
 
+	scopes := ddoc.ScopesSupported
+	if clientScopes != "" {
+		scopes = strings.Split(clientScopes, ",");
+	}
+
 	ctx := context.Background()
 
 	config := oauth2.Config{
@@ -158,7 +166,7 @@ func main() {
 			TokenURL: ddoc.TokenEndpoint,
 		},
 		RedirectURL: fmt.Sprintf("http://localhost:%d/oauth2/callback", port),
-		Scopes: ddoc.ScopesSupported,
+		Scopes: scopes,
 	}
 
 	state := randomState()
diff --git a/docs/sts/web-identity.md b/docs/sts/web-identity.md
index 1050c88da..0fb45c10c 100644
--- a/docs/sts/web-identity.md
+++ b/docs/sts/web-identity.md
@@ -95,6 +95,8 @@ export MINIO_ACCESS_KEY=minio
 export MINIO_SECRET_KEY=minio123
 export MINIO_IDENTITY_OPENID_CONFIG_URL=https://accounts.google.com/.well-known/openid-configuration
 export MINIO_IDENTITY_OPENID_CLIENT_ID="843351d4-1080-11ea-aa20-271ecba3924a"
+# Optional: Allow to specify the requested OpenID scopes (OpenID only requires the `openid` scope)
+#export MINIO_IDENTITY_OPENID_SCOPES="openid,profile,email"
 minio server /mnt/export
 ```
 
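Review bot: The usage string `"Client Scopes"` on the added flag.StringVar does not tell the user that the value is comma-separated, that `openid` is the default, or that an empty value falls back to the scopes advertised by the discovery document, which is what the rest of this change depends on. Suggest `flag.StringVar(&clientScopes, "cscopes", "openid", "Comma-separated OpenID scopes to request (empty: use scopes_supported from the discovery document)")`. The body of init starts outside the hunk.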
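Review bot: The trailing semicolon on `scopes = strings.Split(clientScopes, ",");` is not gofmt-clean, and strings.Split keeps surrounding whitespace and empty elements, so `-cscopes "openid, email"` would request a scope named ` email` and a trailing comma would request an empty scope. Because the flag defaults to `openid`, the `ddoc.ScopesSupported` fallback on the first added line is only reached when the caller passes `-cscopes ""`; requesting only `openid` by default is a sensible least-privilege change from the old code, which asked for every scope the IdP advertised, but the fallback should then be documented or made explicit. Suggest trimming each entry and dropping empties before falling back to the discovery document. main's body starts and ends outside the hunk.
```go
	// … unchanged: discovery-document fetch and error check …
	var scopes []string
	for _, s := range strings.Split(clientScopes, ",") {
		if s = strings.TrimSpace(s); s != "" {
			scopes = append(scopes, s)
		}
	}
	if len(scopes) == 0 {
		scopes = ddoc.ScopesSupported
	}
	ctx := context.Background()
```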